
Reductor

Posted: October 9, 2019

Reductor is a RAT, or Remote Access Trojan, that provides a backdoor on infected PCs along with the usual attack features and convenient options for hijacking them. Besides its more traditional features, Reductor has some unique ones, including a network-traffic-manipulating one that facilitates the theft of encrypted data. Its deployments suggest the attacker has intimate knowledge of the target system, and victims always should entrust anti-malware services with removing Reductor.

A Trojan that's Far from a Networking Reductionist

When one thinks that hackers have tried every programming trick imaginable for gaining intelligence and riches, another scheme illuminates the depth of software manipulation. In what is estimated to be another campaign by the Turla threat actor (also responsible for the Turla Backdoor, Topinambour, KopiLuwak, and Skipper), a new Remote Access Trojan is altering network communications in novel ways. Although the underlying goal is tracking encrypted data, the Reductor RAT manages it without touching the network packets directly.

To accomplish this impressive feat, Reductor tags TLS traffic of interest by patching the random number generator (RNG) functions specific to Firefox and Chrome. Further configuration details of the Trojan imply deep familiarity not just with the code of these browsers but with the hardware of the infected PC, such as the video BIOS and SMBIOS dates. While Reductor can't perform the Man-in-the-Middle style of attacks more often associated with banking Trojans, infections could be operating with the help of 'on the fly' network traffic modifications by the attackers.
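The RNG patching described above leaves a footprint a defender can look for: a genuine RNG never repeats the same bytes at the same position of the 32-byte Random field across a client's TLS handshakes. The following is an added example, not code from the original article or from any vendor report; the record layout is standard TLS, while the sample handshakes and the tag value are constructed for illustration.

```python
"""Flag TLS ClientHello Random fields that share a constant tag across sessions.

Added example. The parser follows the standard TLS record/handshake layout;
the sample handshakes and the 8-byte tag below are constructed test data.
"""
import hashlib
import struct
from collections import Counter

def parse_client_hello_random(record: bytes) -> bytes:
    """Return the 32-byte Random from a TLS record carrying a ClientHello."""
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short")
    if record[0] != 0x16:                      # 0x16 = handshake record
        raise ValueError("not a handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if body[0] != 0x01:                        # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    # handshake header: type(1) + length(3); then client_version(2), random(32)
    return body[6:38]

def build_client_hello(random32: bytes) -> bytes:
    """Construct a minimal ClientHello record around a given Random (test data only)."""
    session_id = b"\x00"                       # empty session id
    cipher_suites = b"\x00\x02\xc0\x2f"        # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                  # null compression only
    hello = b"\x03\x03" + random32 + session_id + cipher_suites + compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def find_shared_tag(records, width: int = 8, min_hits: int = 3):
    """Return (offset, tag) if a `width`-byte substring recurs at the same offset
    in at least `min_hits` of the Randoms; otherwise None."""
    randoms = [parse_client_hello_random(r) for r in records]
    if not randoms:
        return None
    for offset in range(0, 32 - width + 1):
        counts = Counter(rnd[offset:offset + width] for rnd in randoms)
        tag, hits = counts.most_common(1)[0]
        if hits >= min_hits:
            return offset, tag
    return None

# Constructed samples: three hellos whose Random starts with the same 8-byte tag,
# and three whose Random is distinct pseudo-random filler (derived deterministically).
TAG = bytes.fromhex("7461676765643031")        # constructed marker, not a real indicator
_filler = lambda i, n: hashlib.sha256(b"sample-%d" % i).digest()[:n]
TAGGED = [build_client_hello(TAG + _filler(i, 24)) for i in range(3)]
CLEAN = [build_client_hello(_filler(i + 10, 32)) for i in range(3)]
```

Run against real captures, the same check would be applied per client IP over many handshakes; the constructed `TAGGED` set is reported at offset 0 while `CLEAN` yields nothing.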

Other elements of this possible Turla project are much less exciting, if no less problematic for any targets. Reductor's attack features that malware experts confirm as being of note are:

  • Reductor can delete files, digital certificates, temporary cookies and Registry data.
  • Reductor can download files from its server, execute them or upload files from the PC.
  • Reductor includes a Registry 'timeout' function, although it could apply other effects theoretically.

Far from Reduced, a Trojan Upgraded

After an in-depth analysis by Kaspersky Lab, evidence is surfacing of Reductor's distinct links to the COMpfun Trojan – in more ways than one. Besides sharing many technical similarities, Reductor gets its installations from that second Remote Access Trojan. However, this delivery method isn't exclusive. Further samples imply that the threat actors are using their networking capabilities to swap out installation files 'on the fly,' replacing popular programs (such as WinRAR) with infected installers.

Further details about Reductor's Web infrastructure are equally intriguing. Reductor shows no signs of being served from domains that the threat actors hacked. The mechanism of COMpfun's prior introduction in many, if not all, cases also is entirely unknown. For the time being, malware researchers still recommend avoiding illicit software-related resources and scanning all downloads with proper security tools before opening them.

Both COMpfun and Reductor are high-sophistication threats that use live-monitoring techniques and tactics such as COM object hijacking for bypassing admin requirements. Users shouldn't try identifying them by sight and should instead employ appropriately powerful anti-malware tools for deleting Reductor and disinfecting the computer.

Reductor comes for Windows in 32-bit and 64-bit versions, just like the COMpfun Trojan that sometimes installs it. Without a little more than the usual care, the next Internet Download Manager installer might be something more: the latest tool of the Turla threat actor.
